December 23, 2015

Leaked documents that were not attributed to Snowden

Since June 2013, numerous top secret documents from the American signals intelligence agency NSA and its British counterpart GCHQ have been disclosed. The overwhelming majority of them came from the former NSA contractor Edward Snowden.

But what many people probably didn't notice, is that some of these documents (some being very compromising and embarrassing for NSA) were not provided by Snowden, but by other leakers.

Often, the press reports didn't mention that very clearly, and it was only by not attributing such documents to Snowden that it became clear they apparently came from someone else.

So far, the following classified documents have been disclosed without having been attributed to Snowden:

The most user-friendly collection of all the leaked documents can be found on the website IC Off The Record (which started as a parody on IC On The Record, the official US government website on which declassified documents are published).

Other websites that collect leaked documents related to the Five Eyes agencies, so from Snowden as well as from other sources, are FVEY Docs and Cryptome. The Snowden-documents are also available and searchable through the Snowden Surveillance Archive.

Also not included are stories based upon leaks of information without original documents being published, like for example about NSA's interception efforts against Israel or the intercepted communications of the Russian oligarch Yevgeniy Prigozhin.

- Documents not attributed to Snowden -

Chancellor Merkel tasking record

On October 23, 2013, the German magazine Der Spiegel revealed that the NSA may have eavesdropped on the cell phone of chancellor Merkel. This was based upon "the excerpt from an NSA database about Merkel's cell phone", which the magazine received. A journalist from Der Spiegel made a transcription of the database record, and later on, a copy of this transcription was printed in some German newspapers.
Glenn Greenwald confirmed that this information didn't come from the Snowden archive, and Bruce Schneier was also convinced that this came from a second source.

On December 29, 2013, the German magazine Der Spiegel published a 50-page catalog from the ANT-unit of NSA's hacking division TAO. It contains a wide range of sophisticated hacking and eavesdropping techniques. The next day, Jacob Appelbaum discussed them during his presentation at the CCC in Berlin.
According to Bruce Schneier this catalog came from the second source, who also leaked the Merkel tasking record and the XKEYSCORE rules.

On July 3, 2014, the German regional television magazine Reporter disclosed the transcripts of a set of rules used by the NSA's XKEYSCORE system to automatically execute frequently used search terms, including correlating different identities of a certain target.
According to Bruce Schneier, these rules could have been leaked by the second source, which also provided the Merkel tasking record and the TAO catalog.

On July 23, 2014, the website The Intercept published a manual from the US National CounterTerrorism Center (NCTC) with rules and indications used for putting people in terrorist databases and no-fly lists.
The Intercept says this document was provided by a "source within the intelligence community".

On August 5, 2014, The Intercept published a report from the US National CounterTerrorism Center (NCTC) about terrorist watchlists and databases.
Just like the previous document, this was also obtained from a "source within the intelligence community". Bruce Schneier says this report is from August 2013, which is well after Snowden had fled the US, and therefore he assumes it was leaked by a third source.

On March 14 and March 22, 2015, The New Zealand Herald published transcripts of two sets of XKEYSCORE fingerprints that define targets of the New Zealand signals intelligence agency GCSB. They were not attributed to Snowden, although in the weeks before, New Zealand media published several other documents that did come from the Snowden cache.

On April 17, 2015, The Intercept and Der Spiegel published a series of slides showing the infrastructure which is used for operating drones, for which the US base in Ramstein, Germany, acts as a relay station.
In the film Citizenfour we see Glenn Greenwald visiting Snowden in Moscow, telling him there's a new source which revealed the role of Ramstein AFB in the drone program.

On June 23, 2015, Wikileaks, in collaboration with the French paper Libération, the German newspaper Süddeutsche Zeitung and the Italian paper l'Espresso, published the transcript of entries from an NSA tasking database, as well as intelligence reports about high-level French targets.

On July 1, 2015, Wikileaks, in collaboration with Libération and Mediapart, Süddeutsche Zeitung and l'Espresso, published the transcript of entries from an NSA tasking database, as well as intelligence reports about high-level German targets.

On July 4, 2015, Wikileaks published the transcript of entries from an NSA tasking database about high-level Brazilian targets. Unlike similar disclosures about France, Germany and Japan, no intelligence reports about Brazil were disclosed.

On July 31, 2015, Wikileaks, in collaboration with Süddeutsche Zeitung, l'Espresso, The Saturday Paper from Australia and the Japanese newspaper Asahi Shimbun, published the transcript of entries from an NSA tasking database, as well as intelligence reports about high-level Japanese targets.

On July 30 and August 10, 2015, NBC News published two slides about Chinese cyber espionage against over 600 US companies and government agencies, including access to the e-mail of top government officials since at least 2010.
This leak stands out because the slides are in digital form, and they support a story that shows the necessity of NSA - which seems to point to an authorized leak.

On August 26, 2015, the German newspaper Die Zeit published the transcript of the Terms of Reference (ToR) about the use of NSA's XKEYSCORE system by the German security service BfV.
Being a transcript and being about XKEYSCORE, this could be from the same source as the XKEYSCORE rules, but it's also possible it came from a source within a German government agency.

On October 15, 2015, The Intercept published a series of documents with details about drone operations by the US military between 2011 and 2013.
In the film Citizenfour we see Glenn Greenwald visiting Snowden in Moscow, telling him there's a new source which revealed the role of Ramstein AFB in the drone program, including the chain of command diagram which is part of this batch of documents.

On December 17, 2015, The Intercept published a range of pages from a classified catalogue containing cellphone surveillance equipment, including IMSI-catchers like Stingrays and DRT boxes.
Just like the NCTC reports, The Intercept obtained this document from a "source within the intelligence community".

On February 14, 2016, the website Cryptome published a batch of Word and some PDF documents containing various US military manuals and policy papers regarding operations and activities in Iraq and Afghanistan.

On February 23, 2016, Wikileaks published the transcript of entries from an NSA tasking database, as well as intelligence reports about high-level targets from the European Union, Italy and the United Nations, including German chancellor Merkel and Israeli prime minister Netanyahu.

On August 15, 2016, someone or a group called The Shadow Brokers published a large set of computer code attributed to the Equation Group, which is considered part of the NSA's TAO division. Many of these hacking tools affected hardware firewalls, from companies such as Cisco and Juniper.

On October 6, 2016, the website The Intercept published a set of documents and copies of presentation slides about how the FBI cooperates with US Customs and Border Protection (CBP) to gather intelligence from border controls.
These documents were provided by an "intelligence community source familiar with the process who is concerned about the FBI’s treatment of Muslim communities".

On October 31, 2016, the Shadow Brokers published new files containing some more hacking tools and a list of 352 IP addresses and 306 domain names the Equation Group, considered part of NSA's TAO division, may have used for their operations.

On January 12, 2017, the Shadow Brokers published a final message accompanied by 61 Windows-formatted binary files, including executables, dynamic link libraries, and device drivers, which are also considered to have been tools from the NSA's TAO hacking division.

On March 7, 2017, Wikileaks published 8761 documents and files, including malware, viruses, trojans, weaponized "zero day" exploits, malware remote control systems and associated documentation, used to penetrate smartphones, smart televisions and computer systems. These files allegedly came from a high-security network inside the CIA's Center for Cyber Intelligence (CCI).

On April 8, 2017, the Shadow Brokers were back and released the password for an encrypted data set released when they announced their file auction. The data set includes a range of exploits, including for the Unix operating system Solaris.

On April 14, 2017, the Shadow Brokers published an archive containing a series of Windows exploits and documents about NSA's infiltration of the banking network SWIFT, for the first time including several Top Secret NSA powerpoint presentations, similar to those leaked by Snowden.

On June 5, 2017, The Intercept published an NSA report about a months-long Russian cyber operation against parts of the US election and voting infrastructure.
Only an hour after this publication, the US government announced that they will charge Reality Leigh Winner, who worked as a contractor linguist for NSA, for leaking this report.

On September 6, 2017, the Shadow Brokers came with a message on Steemit.com about their "subscription service" for alleged TAO hacking tools. As an example, the manual for the UNITEDRAKE "remote collection system for Windows targets" was released in full.

It is difficult to tell exactly from how many different leakers these documents come. The journalists involved will of course do everything to hide their source's identity, including creating distraction and confusion, but also creating the impression that many other leakers followed the example of Edward Snowden.

Some thoughts on the form of the documents

Content-wise the documents from the alleged other sources are not very different from the ones from Snowden. But what seems to distinguish them most, is their form, which is either digital, a transcript or scanned from paper.

Digital

Almost all documents that were attributed to Snowden came in their original digital form (with some very few exceptions that were scanned from paper). This makes it remarkable that only two documents from the other sources are in a similar digital form.

The first one is the famous TAO Product Catalog with hacking and eavesdropping techniques, which also given its content comes closest to the Snowden documents. Despite that, this catalog was never attributed to him.

The other leak in digital form consists of the two slides about Chinese cyber espionage, but these probably come from a source in support of the US government.

Transcripts

A number of other leaks didn't provide documents in their original form, but only transcripts thereof. This is the case for the following revelations:

The lists from an NSA tasking database with targets for France, Germany, Brazil and Japan are also transcripts, but for the intelligence reports, which Wikileaks published simultaneously, we have at least one example that is in its original format. All other ones came as transcripts.

Scanned from paper

All other documents that didn't come from Snowden look like they were printed out (some were even recognized as being double-sided) and scanned again. This is the case for:

This doesn't automatically mean they are all from the same source, as two of them are from the civilian NCTC and the other three are clearly from a military context.

We don't know when or where these documents were printed out: maybe it was done by the leaker, for whom it could have been easier to exfiltrate them as hard copy, than on a detectable thumb drive.

It's also possible that they were printed out by the press contact in order to make them look different from the Snowden documents. But on the other hand, publishing them in digital form would have made it more difficult to prove they were not from the Snowden cache.

Some thoughts on the motives behind the leaks

We can also take a look at the motives that could have been behind these leaks. Interestingly, these seem to correspond quite well with the different forms the documents have.

A second source

The disclosures of the transcriptions of the XKEYSCORE rules and the tasking database lists are quite far from being in the public interest. They are about legitimate targets of foreign intelligence and publishing them seems solely meant to discredit the NSA and/or damage US foreign relationships.

The same applies to the TAO Product Catalog, which contains devices and methods that are only used against "hard targets" that cannot be reached by other means, so this is not about spying on ordinary citizens, but does compromise valid US intelligence operations.

At first sight, one would assume that these documents were from the Snowden cache, but published by people like Appelbaum and an organization like Wikileaks, who have a more radical approach than Snowden himself, and maybe therefore could have pretended they came from another source.

However, both Greenwald and security expert Bruce Schneier said these documents were really provided by another leaker. Because a number of them were published by German media, Schneier guesses it might be "either an NSA employee or contractor working in Germany, or someone from German intelligence who has access to NSA documents".

If that's the case, then it's not only remarkable that there's a second source from within or close to NSA, but also that this source is apparently fine with leaking documents that show no abuses, but only seriously harm US interests - which is either treason, or the work of a hostile intelligence agency. Snowden at least acted from his concern about increasing mass surveillance on innocent civilians.

Update:
So far, the last publication that can be attributed to the Second Source were the NSA tasking & reporting files in February 2016. Then in August of that year, someone or a group who called themselves The Shadow Brokers, started a series of leaks, mainly of TAO hacking tools. They are published without an intermediary like media outlets or Wikileaks (although already in August 2016, Wikileaks claimed to have its own copy of the Shadow Brokers files, but never released them).
The Shadow Brokers leaks undermine NSA operations in a similar way as those of the Second Source, so it's very well possible that the same person is behind both series of leaks. Also interesting is that the latest timestamp found in the Shadow Brokers files is October 18, 2013, which is around the same time the first leak from the Second Source came out.

A third source

The documents that are scanned from paper are a somewhat different story. These are about issues that concern a wider range of people. For some of them, The Intercept even gives the reason why the source leaked them: for the cellphone surveillance catalogue it was because of a concern about militarization of domestic law enforcement.

For the drone papers, the source is cited saying: "This outrageous explosion of watchlisting [...] assigning them death sentences without notice, on a worldwide battlefield". Given that he mentions watchlists, it seems very well possible that this source actually also leaked the two NCTC reports about terrorist databases and watchlists.

Combining this with the fact that both the NCTC reports and the cellphone surveillance catalog were from a source "within the intelligence community" seems to confirm that all the documents that came as scanned from paper are from the same leaker - maybe someone from a military intelligence agency like the DIA.

Also from an "intelligence community source" are several FBI & CBP documents about intelligence gathering at US border controls - something that is also closely related to watchlisting.

Conclusion

Given these thoughts on the form of the leaked documents and the possible motives behind these leaks, it seems that they can be attributed to at least three other sources, beside Snowden:

On October 6, 2016, The New York Times reported that on August 27, 2016, the FBI arrested 51-year-old Harold T. Martin III, who worked at NSA as a contractor for Booz Allen Hamilton. He was described as a hoarder and on February 8, 2017 he was only indicted on charges of stealing and retaining the largest heist of classified information in US history: from the 1990s until 2016, he took documents from US Cyber Command, CIA, National Reconnaissance Office (NRO) and NSA. Martin was not accused of passing information to foreigners, nor of being the source for the Shadow Brokers publications.

On November 19, 2016, it was reported by the Washington Post that there had been yet another, previously undisclosed breach of cybertools, which was discovered in the summer of 2015. This was also carried out by a TAO employee, who had also been arrested, but his case was not made public. An official said that it is not believed that this individual shared the material with another country.

In October 2017, the Wall Street Journal and the Washington Post revealed that this anonymous TAO employee had taken hacking tools home to work on them on his private laptop, which ran Kaspersky antivirus software. This program detected the hacking files, after which Russian hackers targeted his laptop. The TAO employee was removed from his job in 2015, but was not thought to have taken the files to provide them to a foreign spy agency.

From the court documents, we learn that this TAO employee is 67-year-old Nghia H. Pho from Ellicott City, Maryland, who was born in Vietnam and naturalized as a US citizen. From 2006 to 2016, he worked as a software developer at NSA's TAO division, and from 2010 till March 2015, he took classified documents home, both digital and hard copy.

On April 20, 2017, CBS News reported that CIA and FBI started a joint investigation into the leak of the CIA hacking tools that were published by Wikileaks under the name "Vault 7". Investigators are apparently looking for an insider, either a CIA employee or contractor, who had physical access to the material.

An updated overview of the Shadow Brokers story was published by the New York Times on November 12, 2017, saying that investigators were worried that one or more leakers may still be inside NSA and also that the small number of specialists who have worked both at TAO and at the CIA came in for particular attention, out of concern that a single leaker might be responsible for both the Shadow Brokers and the files published by Wikileaks as part of their Vault7 and Vault8 series (although the CIA files are more recent).

In May 2018 it was reported that in March 2017, two months after Wikileaks started publishing its Vault7 series, the FBI arrested Joshua Schulte. From May 2010 until November 2016 he worked at the Directorate of Science & Technology (DS&T) of the CIA's National Clandestine Service (NCS), developing Windows and Linux tools to support clandestine operations. Schulte is suspected of stealing the CIA's hacking files, but so far he hasn't been charged.

So, besides the various sources who stole classified material that was leaked to the public, there are at least the following leaks from which (so far, and as far as we know) no documents have been published:

6 comments:

This is a message from Almighty God given to the evil people working in the NSA. This prophecy was given through a prophet named Brian Charles

For it is a fearful thing to fall into the hands of the Living God, you evil workers remember. For I am against you, says the LORD, and you will be defeated forever, says the Great I AM! For I have seen your works of evil around the world, and I am not pleased says the LORD, and I will punish you forever, except you repent, for the gathering of worldwide data collections of My people, as well as the worldlings. I have seen what you have done with My data, using it for your own personal aggrandizement in a politically correct expediency, to build your own data farm to use for later purposes, and for your own evil purposes to destroy My people—both here and abroad. I have seen what you have done in secret places with My data, covering over your evil works with a cloak of classification powers, so that no one can see the full extent of your evil intentions. Did not My servant Snowden reveal before the whole world of your evil machinations with digital data? Therefore I will collapse your bases, destroy your data farm, and destroy the tower of evil you call Fort Meade. For it has reached the high heavens, and I am displeased with it. Your computer monitors I will destroy in a second, your satellites in orbit will I plunge into reentry, and all your evil plans will I abolish in a moment. For I AM A Jealous God, protective of My people, whom you have waged war against with your data collection agency, and your sinister plans for evil. For I will put all your myriad employees and military personnel, and all officers of evil into deepest Hell, except they repent of their evil plans and deeds. For I see the worldwide persecution you are feverishly planning against My people, which will only serve to put yourselves into Hell, the Satanists that you are. For you have even waged war against the Man of War, the LORD God Whom I AM, and you will surely suffer a bitter and ignominious defeat, except you repent and come out of that evil system. 
For the LORD God Almighty, the God of Israel, the protector of My people, whom you have waged war against, has spoken, Amen!

Contact

For questions, suggestions and other remarks about this weblog in general or any related issues, please use the following e-mail address: info (at) electrospaces.net

For sending an encrypted e-mail message, you can use the PGP Public Key under this ID: B4515E04

You can also communicate through Twitter: @electrospaces or XMPP/Jabber chat by using the address electrospaces (at) jabber.de

The title picture of this weblog shows the watch floor of the NSA's National Security Operations Center (NSOC) in 2006. The URL of this weblog recalls Electrospace Systems Inc., the company which made most of the top level communications equipment for the US Government. All information on this weblog is obtained from unclassified or publicly available sources.